ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments

Size: px
Start display at page:

Download "ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments"

Transcription

1 ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY Processing Electronic Card Payments Introduction and Policy Aim The Payment Card Industry Data Security Standard (PCI-DSS) is a worldwide information security standard, created to help organisations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. It applies to all organisations that receive, process, store and pass cardholder information. The Royal Borough of Windsor and Maidenhead (the Council) is liable to fines from its merchant bank should it fail to comply with PCI-DSS. This policy is required to ensure compliance with Point 9 and 12 of the PCI-DSS Standard. Policy Statement All card processing activities of the Council will comply with the PCI-DSS industry standard. No activity or technology may obstruct compliance with the PCI DSS. Not covered by this Policy The Council does not accept some cards: American Express, Diners Club, JCB Those Affected by the Policy Anyone performing Council duties or providing Council services facilitating card payments. It applies to Councillors; other organisations conducting Council business; employees; contractual third parties and agents of the Council. Roles and Responsibilities 1. Council Operational support workers must understand and comply with the policy. 2. Council Managers and Team Leaders must ensure their staff understand the policy and are aware of their obligation to comply with it. 3. Senior Systems Accountant must ensure relevant card payment security training is carried out and that staff comply with this policy. 4. ICT Services must manage IT Services and Infrastructure in accordance with the requirements of PCI DSS. Services must comply with this policy to minimise the risk to both customers and the Council. Failure to comply will render the Council liable for fines and may also result in Visa and/or MasterCard preventing transactions from being processed. Policy Compliance This policy is mandatory for all staff. Failure to comply with this procedure may result in disciplinary or other action. Heads of Service are responsible for ensuring that their staff are aware of the policy and that it is complied with. If you do not understand this policy, or how it may apply to you, get advice from your Council manager, or from the Senior Systems Accountant on Policy Owner: Tanith Champion Last Updated: 20 March 2015 Page 1 of 6 Next Review Date: February 2016

2 Option2/Option 5/Option 2. Alternatively Other actions will be taken to encourage compliance, namely: 1. A third party company is under contract to monitor Council compliance with PCI- DSS through quarterly network scans. The Council submits an annual Self- Assessment Questionnaire (SAQ) to prove compliancy. 2. The Council will contractually require all third parties with access to cardholder data to adhere to PCI-DSS requirements. These contracts will clearly define information security responsibilities for contractors. 3. Ad hoc checks will take place to ensure employees are maintaining PCI-DSS security procedures. 4. Annual compliancy confirmation will be sought from all staff processing electronic card payments. Applying the Policy Security Breaches In the event of there being a security breach of data, Staff must contact the appropriate member of Staff See Point 8. The member of staff must then contact parties listed below and ensure that card processing is discontinued immediately. Elavon Customer Services Lloyds (PDQ terminals) Customer Services Staff must also submit an internal Council Security Incident Report. Applying the Policy - Corporate Card Payment Systems The Council has a corporate electronic card payments system which allows various types of income to be paid using a number of means as listed below: Online Telephone Automated Telephone Line Kiosk (card and cash) Online Processing In the first instance customers should make payment for goods and services online using the Pay Online link on the rbwm website, however only certain payments are set up to pay using this method. This is the preferred method and best practice for taking payments. On completion of a successful payment the online system being used will automatically generate an payment confirmation to the customer. This is the only Finance confirmation document that will be received by the customer for the payment. If a customer s payment has been unsuccessful or declined, the customer in the first instance should contact their card provider. The most common reason for a declined transaction is the card provider suspecting the transaction may be fraudulent. If a customer faces difficulty in making a payment then they can Page 2 of 6 Next Review Date: February 2016

3 for assistance or contact the Customer Contact Centre where an agent will answer queries and can take the payment over the telephone. Telephone Processing Various payments can be taken over the telephone by either a Customer Contact Centre agent or specific service officer. Card details must never be written down by any member of staff for a future payment attempt. For all card details which are processed through the corporate payments system, no card details are retained by the authority. There is no internal Council access to full card details as this information is not stored within the Council s IT network. Applying the Policy - Card Payment Terminals (PDQ machines) There are specific services that use PDQ terminals and not the Corporate Payments System. Where these terminals are used the following procedures apply. 1. Customer Present with a Card When the customer is present the card should be processed through the PDQ machine according to the machine instructions. 1.1 If the transaction is successfully processed, the merchant copy should be stored securely (see Storage of Card Details) and the customer copy given to the customer. 1.2 If the transaction is declined, the customer should be advised immediately. The option of paying with a different card should be offered. The customer copy stating that the payment was declined should be given to the customer and the merchant copy should be stored securely (see Storage of Card Details). 2. By Telephone Where card details are provided during a telephone call, these must be processed directly into the PDQ terminal at that time and must not be written down or noted anywhere. 2.1 When card details are being provided in a telephone call these must not be repeated back to the customer in such a way as to be audible to third parties. 2.2 If it is not possible to submit the card details immediately then a call back must be requested or offered. Please refer to Section 2 above By Telephone. 3. Card Details Received In Writing Some customers may provide their card payment information in writing for processing i.e. by fax, in a letter, or by booking form. Customers should be deterred from providing the information in this manner as it is not secure. There is no guarantee that these details have not been intercepted prior to being received by the Council. 3.1 When details have been received by this method they must be processed immediately upon receipt. 3.2 Once the payment has been successfully authorised, the original document showing the full card details must be cross cut shredded. Page 3 of 6 Next Review Date: February 2016

4 If the details have been received by then the must be deleted from the Inbox and the Deleted mail folder. If the requires a response, the card information provided should not be contained within the reply. 3.3 In a situation where it is not possible to process the transaction immediately then the details must be stored in a secure environment such as a locked drawer or cabinet. This is only to be actioned in exceptional circumstances. 3.4 For PDQ records, if the transaction is successfully processed, the merchant copy should be stored until transaction reconciliation complete. 3.5 If the transaction is declined, the customer should be advised immediately. The option of paying with a different card should be offered. The customer copy stating that the payment was declined should be sent to the customer and the merchant copy should be stored within the till drawer or cash box for the duration of the working day. When storing merchant copy receipts these must be treated as a confidential document and should be marked accordingly. Applying the Policy Storage of Card Details 1. Storage of card details on computers in any format (e.g. , Access databases, Excel spreadsheets, USB memory sticks) breaches the Security Standard Regulations. If this occurs the result could be large monetary fines from Visa and MasterCard. This is because there is risk of fraudsters obtaining card details by hacking into computers or storage media which stores cardholder information. 2. Merchant copies of PDQ receipts must be destroyed once transaction reconciliation complete. Applying the Policy Data Retention and Disposal 1. Services are responsible for complying with the council s Information Retention and Disposal Policy which can be found on the Council intranet. 2. Services retaining card data must carry out a review, at least quarterly, to remove data that exceeds requirements defined in the data retention policy. 3. Retained data should be securely disposed of by cross-cut shredding when no longer required. Applying the Policy Electronic Transfer of Data 1.It is strictly prohibited to transfer card data electronically both internally or externally to rbwm. This includes the use of end user messaging technologies. Applying the Policy - Point of Sale(PoS) Card Devices 1. All devices in use must comply with PCI standards. 2. All devices are included in the inventory for rbwm which contains key data identified by the standard. 3. Devices must be periodically inspected to detect tampering or substitution. Page 4 of 6 Next Review Date: February 2016

5 4 Staff using such devices must be trained to be aware of attempted tampering or replacement of devices. 5. Services using such devices must take ownership of their use and adhere to the requirements listed above. Applying the Policy Refunds 1. Corporate Electronic Payments Refunds can only be processed back to the originating card if (a) the card is still valid and (b) if the payment was made either online or via the telephone where customer information has been completed (but not automated payment line or Kiosk card transactions). The refund must be approved by the responsible Service Head via then forwarded to the nominated person. The corporate system is then accessed and the refund is processed back to the source card from which the original transaction was authorised. It is possible to process part refunds where necessary but the refund cannot exceed the original amount. 2. Other Payment Methods Refunds for other payment methods have to be processed by completing Payment Request Form which is processed and paid via the Finance system (Agresso). This is because the original payment does not capture the cardholder s details to facilitate a refund. Contacts If you have any questions about the details in this policy, or have difficulty complying with any part of it, please contact one of the people below. Senior Systems Accountant Head of Finance ICT Security & Information Manager Related Information General information about PCI-DSS can be found at Legal and Regulatory Obligations The Data Protection Act 1998 Principle 7 Appropriate technical and organisation measures should protect Personal Data. Definitions PCI DSS The Payment Card Industry Data Security Standards PSP Payment Service Providers, i.e. Elavon (corporate systems), Lloyds (Cardnet Payments) SAQ Self-Assessment Questionnaire PDQ Process Data Quickly or Pretty Damn Quick CVV Card Verification Value (3 digit code on back of card) CVC Card Verification Code (3 digit code on back of card) PoS Payment locations utilising PDQ card devices Page 5 of 6 Next Review Date: February 2016

6 Page 6 of 6 Next Review Date: February 2016

Fraud - Preparing Data Card Transactions

Fraud - Preparing Data Card Transactions Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council

More information

University of York Policy on the Management of Debit/ Credit Card Data

University of York Policy on the Management of Debit/ Credit Card Data University of York Policy on the Management of Debit/ Credit Card Data Version 1.0 25th February 2015 Index 1 Introduction and Policy Statement 1.1 The Payment Card Industry Data Security Standard (PCI

More information

Appendix 1 Payment Card Industry Data Security Standards Program

Appendix 1 Payment Card Industry Data Security Standards Program Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

PCI Policies 2011. Appalachian State University

PCI Policies 2011. Appalachian State University PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements

More information

UW Platteville Credit Card Handling Policy

UW Platteville Credit Card Handling Policy UW Platteville Credit Card Handling Policy Issued: December 2011 Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015 Overview: In order for UW Platteville to accept credit

More information

Ball State University Credit/Debit Card Handling Policy and Procedures

Ball State University Credit/Debit Card Handling Policy and Procedures Ball State University Credit/Debit Card Handling Policy and Procedures I. Background Ball State University accepts payments in various forms including cash, checks and electronic fund transfers. University

More information

TERMINAL CONTROL MEASURES

TERMINAL CONTROL MEASURES UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University

More information

Finance & Ecommerce Systems

Finance & Ecommerce Systems Finance & Ecommerce Systems Prepared by: Colette Elson Issued: November 2013 November 2013 Page 1 Contents Page 1 Introduction 2 Responsibility 3 The PCI Data Security Standard 4 PCI DSS Requirements 5

More information

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

Credit and Debit Card Transaction Procedures. University of Bath

Credit and Debit Card Transaction Procedures. University of Bath Credit and Debit Card Transaction Procedures University of Bath Table of Contents Introduction Ethics and Acceptable Use Policies Credit and Debit Card Transactions Protection of Stored Data Protection

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Clark University's PCI Compliance Policy

Clark University's PCI Compliance Policy ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card

More information

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges

More information

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

Credit and Debit Card Handling Policy Updated October 1, 2014

Credit and Debit Card Handling Policy Updated October 1, 2014 Credit and Debit Card Handling Policy Updated October 1, 2014 City of Parkville 8880 Clark Ave. Parkville, MO 64152 Hours: 8:00-5:00 p.m. Monday -Friday Phone Number 816-741-7676 Email: cityhall@parkvillemo.gov

More information

b. USNH requires that all campus organizations and departments collecting credit card receipts:

b. USNH requires that all campus organizations and departments collecting credit card receipts: USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System

More information

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS) Procedure Credit Card Handling and Security for Departments/Divisions and Elected/Appointed Offices Last Update: January 19, 2016 References: Credit Card Payments Policy Purpose: To comply with the Payment

More information

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume. Credit Card Procedures and Policies Texas A&M Health Science Center offers university departments the convenience of accepting credit cards in payment for goods and services provided. All University departments

More information

Information Technology

Information Technology Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing

More information

CREDIT CARD PROCESSING POLICY AND PROCEDURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.

More information

Payment Card Industry Data Security Standard PCI DSS

Payment Card Industry Data Security Standard PCI DSS Payment Card Industry Data Security Standard PCI DSS What is PCI DSS? Requirements developed by the five card brands: VISA, Mastercard, AMEX, JCB and Discover. Their aim was to put together a common set

More information

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS) CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with

More information

http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm

http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm Section: Accounting Revised Date: 05/31/2011 Procedure: 2.2.23 Credit Card Acceptance Home Page http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm Operating Principles:

More information

Payment Card Acceptance Administrative Policy

Payment Card Acceptance Administrative Policy Administrative Procedure Approved By: Brandon Gilliland, Associate Vice President for Finance & Controller Effective Date: October 1, 2014 History: Approval Date: September 25, 2014 Revisions: Type: Administrative

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

Cash & Banking Procedures

Cash & Banking Procedures Financial Policies and Procedures Cash & Banking Procedures 1 P a g e Contents 1. Banking Procedures 1.1 Receipt of cash and cheques within a department 1.2 Storage/security of cash and cheques within

More information

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

McGill Merchant Manual

McGill Merchant Manual McGill Merchant Manual The McGill Merchant Manual is a complementary document to the Merchant (PCI) Policy and Procedures and serves to aid Merchants in ensuring their operations comply with Payment Card

More information

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES POLICY STATEMENT Introduction Some San Diego State University Research Foundation

More information

University Policy Accepting and Handling Payment Cards to Conduct University Business

University Policy Accepting and Handling Payment Cards to Conduct University Business BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

University of Liverpool

University of Liverpool University of Liverpool Card Payment Policy Reference Number Title Version Number 1.0 Document Status Document Classification FIN-001 Card Payment Policy Active Public Effective Date 03 June 2014 Review

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standards. Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing

More information

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College

More information

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Standards for Business Processes, Paper and Electronic Processing

Standards for Business Processes, Paper and Electronic Processing Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,

More information

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration

More information

Finance Office. Card Handling Policy

Finance Office. Card Handling Policy Finance Office Card Handling Policy Prepared by: Lyndsay Brown Issued: November 2012 1 Contents Page 1 Introduction 3 2 Responsibility 3 3 The PCI Data Security Standard 3 4 PCI DSS Requirements 4 5 Receiving/

More information

UNIVERSITY COLLEGE CORK BANK ACCOUNT PROCEDURES

UNIVERSITY COLLEGE CORK BANK ACCOUNT PROCEDURES UNIVERSITY COLLEGE CORK BANK ACCOUNT PROCEDURES Procedure to open a Bank Account 1. INTRODUCTION A Department s need for a Bank account can arise in a number of ways, to take conference fee income, take

More information

The Design Society. Information Security Policy

The Design Society. Information Security Policy The Design Society Policies and Forms That Conform to PCI DSS SAQ A Version 2.0 June 2014 About this Document This document contains The Design Society information security policies. This document is

More information

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Publication Date 2009-08-11 Issued by: Financial Services Chief Information Officer Revision V 1.0 POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Overview: There

More information

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October CREDIT CARD NUMBER HANDLING PROCEDURES POLICY 2014 October Royal Roads University Page 1 of 6 21 October 2014 Table of Contents Policy Statement... 3 Rationale... 3 Applicability of the Policy... 3 Definitions...

More information

University of Virginia Credit Card Requirements

University of Virginia Credit Card Requirements University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.

More information

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS: Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal

More information

POLICY SECTION 509: Electronic Financial Transaction Procedures

POLICY SECTION 509: Electronic Financial Transaction Procedures Page 1 POLICY SECTION 509: Electronic Financial Transaction Procedures Source: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology A. Purpose / Rationale Many NDSU

More information

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository

3. Internet Credit Card Processing System generates a daily batch release report 4. Reporting Deposits to the University Depository Internal Credit/Debit Card Processing Policies and Procedures for University of Tennessee Merchants Merchant: DBA Effective: Date Reviewed: Date Revised: Date 1. General Statement 2. Point-of-Sale Processing

More information

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

Dartmouth College Merchant Credit Card Policy for Processors

Dartmouth College Merchant Credit Card Policy for Processors Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the

More information

How To Complete A Pci Ds Self Assessment Questionnaire

How To Complete A Pci Ds Self Assessment Questionnaire Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment

More information

Approved and commenced March 2015 Review by March, 2017 CONTENTS

Approved and commenced March 2015 Review by March, 2017 CONTENTS Related Policy Responsible Officer Approved by Approved and commenced March 2015 Review by March, 2017 Responsible Organisational Unit CONTENTS Cashiering and Revenue Collection Procedure Invoicing & Receivables

More information

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards PCI DSS Rhonda Chorney Manager, Revenue Capital & General Accounting Today s Agenda 1. What is PCI DSS? 2. Where are we today? 3. Why is compliance so important?

More information

Credit Card Processing and Security Policy

Credit Card Processing and Security Policy Credit Card Processing and Security Policy Policy Number: Reserved for future use Responsible Official: Vice President of Administration and Finance Responsible Office: Student Account Services Effective

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS UNIVERSITY OF NORTH DAKOTA FINANCE & OPERATIONS POLICY LIBRARY ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS Policy 2.3, Accepting Credit Cards and Electronic Checks to Conduct

More information

Saint Louis University Merchant Card Processing Policy & Procedures

Saint Louis University Merchant Card Processing Policy & Procedures Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.

More information

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Viterbo University Credit Card Processing & Data Security Procedures and Policy The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently

More information

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card

More information

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?

More information

University of St Andrews. Unit Income and Cash Handling Policy

University of St Andrews. Unit Income and Cash Handling Policy University of St Andrews Unit Income and Cash Handling Policy Last reviewed 17 September 2014 CONTENTS page 1 Introduction and Policy Statement 3 2 Cash Free Units 3 3 Securing Cash 3 4 Receipting Cash

More information

PCI Data Security. Information Services & Cash Management. Contents

PCI Data Security. Information Services & Cash Management. Contents PCI Data Security Information Services & Cash Management This self-directed learning module contains information you are expected to know to protect yourself, our patients, and our guests. Target Audience:

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures Page 1 SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures SOURCE: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology It is the University s responsibility

More information

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents UNL PAYMENT CARD POLICY AND PROCEDURES Table of Contents Payment Card Merchant Security Standards Policy and Procedures... 2 Introduction... 4 Payment Card Industry Data Security Standard... 4 Definitions...

More information

New York University University Policies

New York University University Policies New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Questions and Answers PCI Compliance (Updated May 23, 2014)

Questions and Answers PCI Compliance (Updated May 23, 2014) Questions and Answers PCI Compliance (Updated ) The Alberta government is working toward PCI compliance, an industry standard created by the credit card industry to improve cardholder data security. The

More information

PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson

PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies

More information

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524 'McGill Sylvia Franke, LL.B., B.Sc. Albert Caponi, C.A. Chief Information Officer Assistant Vice-Principal (Financial Services) 688 Sherbrooke Street West, Room 730 James Administration Building, Room

More information

f. Develop and maintain secure systems and applications; h. Assign a unique ID to each person with computer access;

f. Develop and maintain secure systems and applications; h. Assign a unique ID to each person with computer access; CREDIT CARD INFORMATION STORAGE AND RETENTION GENERAL 1. The Director General Morale and Welfare Services (DGMWS) is committed to protecting the privacy of credit card information that is held and stored

More information

How To Protect Your Business From A Hacker Attack

How To Protect Your Business From A Hacker Attack Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as

More information

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05) BUSINESS POLICY TO: All Members of the University Community 2012:12 DATE: April 2012 CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05) Contents Section 1 Policy Statement... 2 Section

More information

Merchant guide to PCI DSS

Merchant guide to PCI DSS Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does

More information

Merchant Card Processing Best Practices

Merchant Card Processing Best Practices Merchant Card Processing Best Practices Background: The major credit card companies (VISA, MasterCard, Discover, and American Express) have published a uniform set of data security standards that ALL merchants

More information

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Payment Card Industry (PCI) Policy Manual. Network and Computer Services Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology

More information

2.1.2 CARDHOLDER DATA SECURITY

2.1.2 CARDHOLDER DATA SECURITY University of Oxford Finance Division FINANCIAL POLICY 2.1.2 CARDHOLDER DATA SECURITY Date: 21 March 2013 Version: 2.1.2 Status: Approved Author: Simon Blee Bridget Midwinter TABLE OF CONTENTS Page EXECUTIVE

More information

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College

More information

Complying with PCI is a necessary step in safely accepting Payment Cards.

Complying with PCI is a necessary step in safely accepting Payment Cards. What Every Director Needs to Know About Credit Cards & Patron Privacy Complying with PCI is a necessary step in safely accepting Payment Cards. Know the Risks! Some Interesting Facts: 94% of data breaches

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Huddersfield New College Further Education Corporation

Huddersfield New College Further Education Corporation Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information